input {
  tcp {
    port => {{logstash_localsyslog_port}}
    type => syslog
  }
  udp {
    port => {{logstash_localsyslog_port}}
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
elasticsearch { hosts => ["localhost:{{es_local_port}}"] }
# uncomment this for debug messages
#  stdout { codec => rubydebug }
}

input {
  beats {
    port => {{logstash_syslog_port}}
    ssl => true
    ssl_certificate => ["/usr/share/logstash/beat-forwarder.crt"]
    ssl_key => ["/usr/share/logstash/beat-forwarder.key"]
    ssl_verify_mode => none
  }
}

### workaround/hack for https://discuss.elastic.co/t/logstash-errors-after-upgrading-to-filebeat-6-3-0/135984/28

filter {
  mutate {
    remove_field => [ "[host]" ]
  }
  mutate {
    add_field => {
      "host" => "%{[beat][hostname]}"
    }
  }
}

